Smitfraud-C.Toolbar888 infection



cool_boy_86_2004
2007-05-23, 22:47
Man! My system was running so well, then I got this malware thing that showed up on Spybot! I love that program; it has saved me many dollars on repairs, and I turn that savings into profit I donate to Spybot! Now if only I could get rid of this dumb thing and be running smooth again! Someone please help me!
Here is everything you asked for, I think; if not, let me know and I'll see what I can do! I tried running the internet scan but it kept freezing my system!

Logfile of HijackThis v1.99.1
Scan saved at 2:46:52 PM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shsu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17234011-95ae-411c-b4cf-8d85bbc28816} - C:\WINDOWS\system32\cmdMGR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp9.tmp.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170817119390
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: cmdMGR - C:\WINDOWS\SYSTEM32\cmdMGR.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
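An added example, not part of this thread and not a feature of HijackThis or any tool the helper used: a short Python script that parses HijackThis log lines like the ones above, flags the entry types the fix in this thread went after (unnamed O2 BHOs, above all the random tmp*.tmp.dll ones; O4 RunServices autostarts; O20 Winlogon Notify handlers outside a small allowlist), and lists which entries a fix removed by comparing a before and after log. The allowlist of XP SP2 Winlogon Notify handlers plus WgaLogon and klogon is my assumption for the example; the two embedded logs are excerpts of the ones posted in this thread.

```python
"""Triage HijackThis v1.99 log entries. Added example for this thread; it is
not part of HijackThis, ComboFix or any tool the helper used."""
import re
from dataclasses import dataclass

# One HijackThis entry: section code (R0, O2, O4, O20, ...), " - ", the rest.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
# Randomly named DLLs of the form tmp<hex>.tmp.dll, as seen in this thread's log.
TMP_DLL = re.compile(r"\\tmp[0-9a-f]+\.tmp\.dll$", re.IGNORECASE)
# Winlogon Notify handlers shipped with XP SP2, plus the two vendor handlers the
# thread shows as legitimate (WgaLogon = Windows Genuine Advantage, klogon =
# Kaspersky). Assumption for this example: anything else is flagged for review.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "wgalogon", "klogon",
}


@dataclass(frozen=True)
class Entry:
    section: str
    rest: str

    @property
    def line(self) -> str:
        return f"{self.section} - {self.rest}"


def parse_hjt(log: str) -> list[Entry]:
    """Return the Rn/On entries of a log; the process list and headers are skipped."""
    entries = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["rest"]))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for the entries a helper would look at first."""
    flags = []
    for e in entries:
        if e.section == "O2" and "(no name)" in e.rest:
            # A BHO with no registered name is not proof of malware (Spybot's
            # SDHelper.dll has none), but a random tmp*.tmp.dll in system32 is.
            if TMP_DLL.search(e.rest):
                flags.append(("unnamed BHO with random tmp*.tmp.dll name", e.line))
            else:
                flags.append(("unnamed BHO, check the DLL", e.line))
        elif e.section == "O4" and "RunServices" in e.rest:
            # RunServices is a Windows 9x autostart key; on XP it is nearly
            # always malware hoping nobody looks there.
            flags.append(("RunServices autostart on NT-based Windows", e.line))
        elif e.section == "O20" and e.rest.startswith("Winlogon Notify:"):
            # Notify DLLs load into winlogon.exe as SYSTEM before any user logs on.
            name = e.rest.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_WINLOGON_NOTIFY:
                flags.append(("Winlogon Notify handler outside the allowlist", e.line))
    return flags


def removed_between(before: str, after: str) -> list[str]:
    """Entries present in the first log and gone from the second (what a fix removed)."""
    remaining = {e.line for e in parse_hjt(after)}
    return [e.line for e in parse_hjt(before) if e.line not in remaining]


# Excerpts of the two logs posted in this thread (raw strings keep the backslashes).
BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17234011-95ae-411c-b4cf-8d85bbc28816} - C:\WINDOWS\system32\cmdMGR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp9.tmp.dll
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O20 - Winlogon Notify: cmdMGR - C:\WINDOWS\SYSTEM32\cmdMGR.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
"""

AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
"""

if __name__ == "__main__":
    for reason, line in flag_entries(parse_hjt(BEFORE)):
        print(f"[{reason}] {line}")
    print("removed by the fix:")
    for line in removed_between(BEFORE, AFTER):
        print("  " + line)
```

Run against the two excerpts it flags the cmdMGR.dll BHO and Winlogon Notify entry, the tmp9.tmp.dll BHO and the p2pnetworking RunServices line, leaves klogon and WgaLogon alone, and reports nothing on the cleaned log; the allowlist is the part to adjust for another machine.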

miekiemoes
2007-05-25, 13:03
Hello,

It is important you don't miss a step and perform everything in the right order!

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup (http://russelltexas.com/malware/teatimer.htm)
Then, download ResetTeaTimer.bat (http://downloads.subratam.org/ResetTeaTimer.bat).
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.

* Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: http://users.telenet.be/bluepatchy/miekiemoes/images/bfuicon.gif
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
(alcanshorty.bfu) manually from the above URL (right-click on it and choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

--------------------

* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post the next logs in your following reply:
Log from combofix (combofix.txt) - do NOT post the ComboFix-quarantined-files.txt - unless I ask you to
New HijackThis log

cool_boy_86_2004
2007-05-27, 07:05
Hi!

"Josh" - 2007-05-26 23:51:43 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Josh\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cmdMGR.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\wnsapicc.exe"
"C:\WINDOWS\system32\tmp10.tmp.dll"
"C:\WINDOWS\system32\tmp13.tmp.dll"
"C:\WINDOWS\system32\tmp17.tmp.dll"
"C:\WINDOWS\system32\tmp1B.tmp.dll"
"C:\WINDOWS\system32\tmp1C.tmp.dll"
"C:\WINDOWS\system32\tmp1F.tmp.dll"
"C:\WINDOWS\system32\tmp2.tmp.dll"
"C:\WINDOWS\system32\tmp27.tmp.dll"
"C:\WINDOWS\system32\tmp3.tmp.dll"
"C:\WINDOWS\system32\tmp5.tmp.dll"
"C:\WINDOWS\system32\tmp6.tmp.dll"
"C:\WINDOWS\system32\tmp6D.tmp.dll"
"C:\WINDOWS\system32\tmp6E.tmp.dll"
"C:\WINDOWS\system32\tmp9.tmp.dll"
"C:\WINDOWS\system32\tmpA.tmp.dll"
"C:\WINDOWS\system32\tmpC.tmp.dll"
"C:\Program Files\Common Files\{B8BB6~1\Update.exe"
"C:\Program Files\Common Files\{B8BB6~2\Update.exe"
"C:\Program Files\Common Files\{38BB6~1"
"C:\Program Files\Common Files\{B8BB6~1"
"C:\Program Files\Common Files\{B8BB6~2"

Purity Folders:

C:\DOCUME~1\Josh\APPLIC~1\FNTS~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX


((((((((((((((((((((((((((((((( Files Created from 2007-04-26 to 2007-05-26 ))))))))))))))))))))))))))))))))))


2007-05-26 23:48 <DIR> d-------- C:\bintheredunthat
2007-05-24 21:55 88,203 --a------ C:\WINDOWS\agrsmmsg.exe
2007-05-24 21:55 68,096 --a------ C:\WINDOWS\agrsmdel.exe
2007-05-24 21:55 45,056 --a------ C:\WINDOWS\cfdemo.scr
2007-05-24 21:55 431,801 --a------ C:\WINDOWS\Aktivierungscode.exe
2007-05-24 21:55 20,966,970 --a------ C:\WINDOWS\cfdemo.exe
2007-05-24 21:55 2,807,808 --a------ C:\WINDOWS\alcwzrd.exe
2007-05-24 21:50 106,540 --a------ C:\WINDOWS\yabbay.dll
2007-05-24 21:42 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2007-05-24 20:14 4 --a------ C:\WINDOWSRegDefrag.dat
2007-05-24 11:46 106,469 --a------ C:\WINDOWS\wvvusq.dll
2007-05-23 15:05 106,484 --a------ C:\WINDOWS\wvtrrr.dll
2007-05-23 13:05 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-23 12:08 106,531 --a------ C:\WINDOWS\tusron.dll
2007-05-23 11:59 <DIR> d-------- C:\HJT
2007-05-23 10:30 106,474 --a------ C:\WINDOWS\wvttuv.dll
2007-05-22 23:43 <DIR> d-------- C:\VundoFix Backups
2007-05-22 22:38 106,395 --a------ C:\WINDOWS\cbbbcy.dll
2007-05-22 22:33 34,760 --a------ C:\WINDOWS\system32\ssttu.exe
2007-05-15 11:19 <DIR> d-------- C:\DOCUME~1\Josh\APPLIC~1\Viewpoint


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 04:54:41 -------- d-----w C:\Program Files\Kaspersky Lab
2007-05-24 18:21:39 -------- d-----w C:\Program Files\ATI Technologies
2007-05-12 22:45:52 -------- d-----w C:\DOCUME~1\Josh\APPLIC~1\uTorrent
2007-04-18 23:01:02 -------- d-----w C:\Program Files\LimeWire
2007-04-18 22:32:36 -------- d-----w C:\DOCUME~1\Josh\APPLIC~1\Systweak
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-12 17:40:56 -------- d-----w C:\DOCUME~1\Josh\APPLIC~1\Ahead
2007-04-05 04:16:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-05 04:16:39 -------- d-----w C:\Program Files\Google
2007-04-01 03:37:49 -------- d-----w C:\DOCUME~1\Josh\APPLIC~1\ATI MMC
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-02 21:16:31 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2007-03-02 21:06:24 63 ----a-w C:\WINDOWS\system32\yyd.bat
2007-03-02 21:06:19 75 ----a-w C:\WINDOWS\system32\n.bat
2007-03-02 21:06:04 256 ----a-w C:\WINDOWS\system32\x.dat
2007-03-02 21:06:01 35,328 ----a-w C:\WINDOWS\system32\xtz.exe
2007-03-02 21:05:32 90,112 ----a-w C:\WINDOWS\system32\smsc.exe
2007-03-02 21:04:46 32,768 ----a-w C:\WINDOWS\system32\setup9x.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 20:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2003-01-20 23:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

*Newly Created Service* -HTTPFILTER

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 23:57:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-26 23:58:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-26 23:58

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 12:03:36 AM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shsu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170817119390
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

I love you guys

miekiemoes
2007-05-27, 10:15
Hi,

This is already much better, but we're not finished yet..

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\yabbay.dll
C:\WINDOWS\wvvusq.dll
C:\WINDOWS\wvtrrr.dll
C:\WINDOWS\tusron.dll
C:\WINDOWS\wvttuv.dll
C:\WINDOWS\cbbbcy.dll
C:\WINDOWS\system32\ssttu.exe
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\yyd.bat
C:\WINDOWS\system32\n.bat
C:\WINDOWS\system32\x.dat
C:\WINDOWS\system32\xtz.exe
C:\WINDOWS\system32\smsc.exe
C:\WINDOWS\system32\setup9x.exe

Folder::
C:\DOCUME~1\Josh\APPLIC~1\Viewpoint
C:\VundoFix Backups
C:\bintheredunthat



Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Extra addition:
Go to the next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to the next file:

C:\WINDOWS\Aktivierungscode.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
I think it's related to Toshiba, since it was created at the same time as the other related files; however, I want to be sure.
Also, right-click Aktivierungscode.exe and let me know what's present in its properties under Version.

cool_boy_86_2004
2007-05-27, 17:39
Hello again!

"Josh" - 2007-05-27 9:49:24 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Josh\"
Command switches used :: ""C:\Documents and Settings\Josh\Desktop\Fix\ComboFix-Do.txt""


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\DOCUME~1\Josh\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx"
"C:\DOCUME~1\Josh\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\URLCache.ini"
"C:\DOCUME~1\Josh\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\409417504.mtj&p2=1&p3=08788768127688675067271500376989&p4=0"
"C:\DOCUME~1\Josh\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\URLCache.ini"
"C:\DOCUME~1\Josh\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\URLCache.ini"
"C:\DOCUME~1\Josh\APPLIC~1\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\URLCache.ini"
"C:\VundoFix Backups\lkjkmp.ini.bad"
"C:\VundoFix Backups\pmkjkl.dll.bad"
"C:\WINDOWS\yabbay.dll"
"C:\WINDOWS\wvvusq.dll"
"C:\WINDOWS\wvtrrr.dll"
"C:\WINDOWS\tusron.dll"
"C:\WINDOWS\wvttuv.dll"
"C:\WINDOWS\cbbbcy.dll"
"C:\WINDOWS\system32\ssttu.exe"
"C:\WINDOWS\system32\vbzip10.dll"
"C:\WINDOWS\system32\yyd.bat"
"C:\WINDOWS\system32\n.bat"
"C:\WINDOWS\system32\x.dat"
"C:\WINDOWS\system32\xtz.exe"
"C:\WINDOWS\system32\smsc.exe"
"C:\WINDOWS\system32\setup9x.exe"
"C:\DOCUME~1\Josh\APPLIC~1\Viewpoint"
"C:\VundoFix Backups"
"C:\bintheredunthat"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-26 23:58 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-24 21:55 88,203 --a------ C:\WINDOWS\agrsmmsg.exe
2007-05-24 21:55 68,096 --a------ C:\WINDOWS\agrsmdel.exe
2007-05-24 21:55 45,056 --a------ C:\WINDOWS\cfdemo.scr
2007-05-24 21:55 431,801 --a------ C:\WINDOWS\Aktivierungscode.exe
2007-05-24 21:55 20,966,970 --a------ C:\WINDOWS\cfdemo.exe
2007-05-24 21:55 2,807,808 --a------ C:\WINDOWS\alcwzrd.exe
2007-05-24 21:42 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2007-05-24 20:14 4 --a------ C:\WINDOWSRegDefrag.dat
2007-05-23 13:05 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-23 11:59 <DIR> d-------- C:\HJT


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 14:51:17 -------- d-----w C:\Program Files\Kaspersky Lab
2007-05-24 18:21:39 -------- d-----w C:\Program Files\ATI Technologies
2007-05-12 22:45:52 -------- d-----w C:\DOCUME~1\Josh\APPLIC~1\uTorrent
2007-04-18 23:01:02 -------- d-----w C:\Program Files\LimeWire
2007-04-18 22:32:36 -------- d-----w C:\DOCUME~1\Josh\APPLIC~1\Systweak
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-12 17:40:56 -------- d-----w C:\DOCUME~1\Josh\APPLIC~1\Ahead
2007-04-05 04:16:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-05 04:16:39 -------- d-----w C:\Program Files\Google
2007-04-01 03:37:49 -------- d-----w C:\DOCUME~1\Josh\APPLIC~1\ATI MMC
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2003-01-20 23:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

*Newly Created Service* -HTTPFILTER

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 09:52:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-27 9:52:50
C:\ComboFix-quarantined-files.txt ... 2007-05-27 09:52
C:\ComboFix2.txt ... 2007-05-26 23:58

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 10:27:59 AM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shsu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170817119390
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)






Complete scanning result of "Aktivierungscode.exe", received in VirusTotal at 05.27.2007, 17:15:04 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.27.2007 no virus found
AVG 7.5.0.467 05.27.2007 no virus found
BitDefender 7.2 05.27.2007 no virus found
CAT-QuickHeal 9.00 05.26.2007 no virus found
ClamAV devel-20070416 05.27.2007 no virus found
DrWeb 4.33 05.26.2007 no virus found
eSafe 7.0.15.0 05.24.2007 no virus found
eTrust-Vet 30.7.3665 05.26.2007 no virus found
Ewido 4.0 05.27.2007 no virus found
FileAdvisor 1 05.27.2007 No threat detected
Fortinet 2.85.0.0 05.27.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.27.2007 no virus found
Ikarus T3.1.1.8 05.27.2007 no virus found
Kaspersky 4.0.2.24 05.27.2007 no virus found
McAfee 5039 05.25.2007 no virus found
Microsoft 1.2503 05.27.2007 no virus found
NOD32v2 2292 05.25.2007 no virus found
Norman 5.80.02 05.25.2007 no virus found
Panda 9.0.0.4 05.27.2007 no virus found
Prevx1 V2 05.27.2007 Covert.Sys.Exec
Sophos 4.18.0 05.25.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.27.2007 no virus found
TheHacker 6.1.6.123 05.25.2007 no virus found
VBA32 3.12.0 05.26.2007 no virus found
VirusBuster 4.3.23:9 05.26.2007 no virus found
Webwasher-Gateway 6.0.1 05.27.2007 no virus found


Aditional Information
File size: 431801 bytes
MD5: 74cf1131b6cf270098ef550369723256
SHA1: a71d74f72cefd42e08b60e284b4c501d72d0a290
packers: BINARYRES
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=74cf1131b6cf270098ef550369723256
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e93261390837



Not sure what you wanted for this last thing. I can't find a version tab under properties and I can't copy anything under the General tab! I think it is some kind of key generator for Kaspersky, but I can't tell for certain; I don't know where it came from, and I don't think I need it if you think it's bad! Just my 2 cents, but you're the smart one here, LOL. I really appreciate everything you've done so far, and you guys are great!
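An added example, not from the thread and not a VirusTotal tool, showing how a helper reads a result like the one pasted above: parse the plain-text report, count the engines that flagged the file, treat a single heuristic hit (Prevx's generic "Covert.Sys.Exec" against 30 clean engines) as something to verify rather than a verdict, and check that the file on disk has the MD5 and SHA1 the report names, so the verdict actually applies to the file you submitted. The embedded report is a constructed excerpt of the one posted in this thread (8 of its 31 engines); the `min_hits` threshold of two agreeing engines is my assumption.

```python
"""Read the plain-text VirusTotal report pasted above, count the engines that
flagged the file, and check that a local copy has the hashes the report names.
Added example for this thread; it is not a VirusTotal tool or API client."""
import hashlib
import re

# One engine row: engine name, version, update date (dd.mm.yyyy), free-text result.
ENGINE_ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$"
)
HASH_ROW = re.compile(r"^(?P<algo>MD5|SHA1):\s*(?P<hex>[0-9a-fA-F]+)$")
# The phrases the 2007-era text report used for "clean"; anything else is a hit.
CLEAN_RESULTS = {"no virus found", "no threat detected"}

# Constructed excerpt of the report posted in this thread (8 of its 31 engines).
SAMPLE_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
ClamAV devel-20070416 05.27.2007 no virus found
FileAdvisor 1 05.27.2007 No threat detected
Kaspersky 4.0.2.24 05.27.2007 no virus found
Microsoft 1.2503 05.27.2007 no virus found
Prevx1 V2 05.27.2007 Covert.Sys.Exec
Symantec 10 05.27.2007 no virus found
VirusBuster 4.3.23:9 05.26.2007 no virus found

Aditional Information
File size: 431801 bytes
MD5: 74cf1131b6cf270098ef550369723256
SHA1: a71d74f72cefd42e08b60e284b4c501d72d0a290
"""


def parse_report(text: str) -> dict:
    """Return {'engines': [(name, result), ...], 'md5': hex, 'sha1': hex}."""
    report = {"engines": [], "md5": None, "sha1": None}
    for line in text.splitlines():
        line = line.strip()
        m = ENGINE_ROW.match(line)
        if m:
            report["engines"].append((m["engine"], m["result"].strip()))
            continue
        h = HASH_ROW.match(line)
        if h:
            report[h["algo"].lower()] = h["hex"].lower()
    return report


def detections(report: dict) -> list[tuple[str, str]]:
    """Engines whose result is not one of the clean phrases."""
    return [(e, r) for e, r in report["engines"] if r.lower() not in CLEAN_RESULTS]


def likely_malicious(report: dict, min_hits: int = 2) -> bool:
    """A single hit from one engine (Prevx's generic 'Covert.Sys.Exec' here) is a
    heuristic, not a verdict; require agreement from at least min_hits engines."""
    return len(detections(report)) >= min_hits


def file_matches_report(data: bytes, report: dict) -> bool:
    """True when the local file's MD5 and SHA1 both equal the ones in the report,
    i.e. the verdict actually applies to the file you have on disk."""
    if not report["md5"] or not report["sha1"]:
        return False
    return (hashlib.md5(data).hexdigest() == report["md5"]
            and hashlib.sha1(data).hexdigest() == report["sha1"])


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    hits = detections(rep)
    print(f"{len(hits)}/{len(rep['engines'])} engines flagged the file: {hits}")
    print("likely malicious:", likely_malicious(rep))
```

On the excerpt this reports 1/8 with only Prevx1 listed and `likely_malicious` false, which is the same reading the helper gives in the next post; the hash check is what you would run on `C:\WINDOWS\Aktivierungscode.exe` itself before trusting that reading.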

miekiemoes
2007-05-27, 19:42
Hi,

Your log looks clean again. :)
I don't think that Aktivierungscode.exe is a key generator; I rather think it's related to your Toshiba Configfree, since it was created at the same time as the other files related to Toshiba Configfree.

But I assume you are using a pirated version of Kaspersky, since you're mentioning the key generator... :(
Ever wondered how you got infected?

If you visit sites to get pirated software, or download via P2P, use cracks or keygens, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system and infecting other computers. And all this because you visited some illegal sites.
Also, keep in mind that malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :(
Better to avoid this and change your surfing habits. Then this wouldn't have happened.
Actually the "funny" part is that you get keygens for security software, so you take a risk and your computer gets infected, and then you use the pirated software to clean it... :(
If you didn't take the risk, there would be no need to clean anything. ;)

Anyway,

Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).

Happy Surfing again!

cool_boy_86_2004
2007-05-27, 20:26
At one time I was using pirated software! I did it to find out how good the system was before I bought it. I am now aware, thanks to you and a lot of other reading, how stupid all that was! Thank you very much for your help. I have a laptop that I don't use very often; I think it has some issues from a long time ago that I have just lived with! Would you be willing to help me from here, or should I just post a new thread with an all-new HJT log?

miekiemoes
2007-05-27, 20:36
Hi,

It may be better to start a new thread for that, to keep things organized. Then I or someone else will take a look at it. :)

And you're most welcome - now make sure this won't happen again. ;)